The materials teach how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas and caveats are included. I discuss why escaping is usually the wrong choice, which practices to avoid or follow and how stored procedures sometimes offer no protection at all.

The presentation (as posted to Slideshare) starts with some of the basics - what SQL injection is and an example of how it could be used to bypass security. He covers how to use prepared statements in each of the technologies (with code snippets), methods for escaping data and how to create stored procedures that are protected from the same threats.

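The bypass described above, and the reason prepared statements stop it, as an added example that is not part of the presentation or of any project's code. It uses PDO (one of the layers the slides cover) with an in-memory SQLite database so it runs stand-alone; the `users` table, its two rows and the payload are constructed for the demonstration:

```php
<?php
// Added example: vulnerable string concatenation vs. a PDO prepared statement.
// Runs stand-alone with an in-memory SQLite database (needs the pdo_sqlite extension).

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data, not from the original page.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $pdo;
}

// Vulnerable: user input is spliced directly into the SQL text, so the input
// can change the structure of the query, not just its values.
function loginVulnerable(PDO $pdo, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Safe: the query text is fixed at prepare() time; values travel as bound
// parameters and can only ever be compared as data.
function loginPrepared(PDO $pdo, string $user, string $pass): int {
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn();
}

$pdo = setupDb();
$payload = "' OR '1'='1";   // classic authentication-bypass payload (constructed)

// A legitimate login matches exactly one row.
printf("prepared, valid creds: %d row(s)\n", loginPrepared($pdo, 'alice', 's3cret'));

// With the payload, the concatenated query becomes
//   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
// and the trailing OR '1'='1' makes it match every row (2 here).
printf("vulnerable, injected:  %d row(s)\n", loginVulnerable($pdo, $payload, $payload));

// The same payload is just a literal string to the prepared statement: 0 rows.
printf("prepared, injected:    %d row(s)\n", loginPrepared($pdo, $payload, $payload));
```

MDB2's `prepare()`/`execute()` pair follows the same pattern (a fixed query text plus a separate array of values), and that separation is the whole point: escaping with `quote()` only helps when the value lands inside a quoted string literal, which is why it is the wrong default, and a stored procedure that builds and executes SQL by concatenating its arguments internally is injectable in exactly the same way as the concatenation above.
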
Posted Fri, 12 Aug 2011 09:20:13 -0500, http://www.phpdeveloper.org/news/8540
David Coallier has posted about a database abstraction layer (DBAL) that he's been developing for PHP 5.2.x-only systems and wants some opinions on his approach:

I made a very light DBAL that uses PHP 5.2.x only (since many people seem to want that), and it has the exact same DSN syntax as MDB2 for now, and the query methods are also called the same (no API changes). [...] The main goal of the DBAL is to have a very effective and light way of switching RDBMS but also the possibility to change your DBAL to something more "feature complete" such as MDB2.

He includes the list of query method names and the types of databases that he wants it to support (as well as mentioning the fact that it would be unit tested for reliability).

Posted Tue, 28 Aug 2007 09:32:00 -0500, http://www.phpdeveloper.org/news/8425
On the Planet SoC blog today, there's this look at how ifehhali added foreign key support to the MDB2_Schema_Writer as a part of his Summer of Code project to improve the PEAR::MDB2_Schema package.

MDB2_Schema_Writer is responsible for dumping a database schema to an XML file. It walks through a database definition and outputs the corresponding XML tags.

He gives an example of checking a table (in $table) to see if it has constraints and validating them. If everything's okay, the script pushes the result into a buffer of specially formatted XML data.

Posted Fri, 10 Aug 2007 08:41:00 -0500, http://www.phpdeveloper.org/news/8002
On CodePoets.co.uk, there's a new tutorial posted by David Goodwin showing how to use PHP with the PEAR MDB2 component to access your database backend.

While writing some PHP training materials for Pale Purple, I thought I'd add an updated guide on PHP and database access. I've already done one on PEAR::DB, but PEAR::MDB2 is its successor and has a slightly different API... and as PEAR::DB is now deprecated, it's probably about time I rewrote it anyway.

David looks at what the MDB2 package is, how to install it, how to connect to your database, and how to handle errors along the way. He (thankfully) also touches on one of the most handy features of the package - prepared statements and the security they offer.

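The steps the tutorial walks through (install, connect, check errors, run a prepared statement), as an added example written for this page and not taken from David Goodwin's tutorial or from the MDB2 package. It shows the MDB2 API idiom rather than the injection mechanics; the DSN, the `users` table, and the `user` query parameter are assumptions, and MDB2 plus a driver must be installed (`pear install MDB2 MDB2_Driver_mysql`):

```php
<?php
// Added example (not from the tutorial): the PEAR::MDB2 idiom for connecting,
// checking errors at each step, and running a typed prepared statement.
// Assumes MDB2 and MDB2_Driver_mysql are installed and that the placeholder
// DSN below is replaced with real credentials.
require_once 'MDB2.php';

$dsn = 'mysql://appuser:secret@localhost/appdb';   // placeholder DSN (assumption)

$mdb2 = MDB2::factory($dsn, array('persistent' => false));
if (PEAR::isError($mdb2)) {
    // Log the detail; never echo getUserInfo() to end users, it can contain
    // the DSN and driver internals.
    error_log($mdb2->getMessage() . ': ' . $mdb2->getUserInfo());
    die('Database unavailable');
}
$mdb2->setFetchMode(MDB2_FETCHMODE_ASSOC);

// Request data is passed as a typed parameter, never spliced into the SQL text.
$username = isset($_GET['user']) ? $_GET['user'] : 'alice';   // assumed parameter

// The types array tells MDB2 how to bind each ? placeholder.
$sth = $mdb2->prepare(
    'SELECT id, username FROM users WHERE username = ? AND active = ?',
    array('text', 'boolean'),
    MDB2_PREPARE_RESULT
);
if (PEAR::isError($sth)) {
    error_log($sth->getMessage());
    die('Query preparation failed');
}

$res = $sth->execute(array($username, true));
if (PEAR::isError($res)) {
    error_log($res->getMessage());
    die('Query failed');
}

while ($row = $res->fetchRow()) {
    printf("%d: %s\n", $row['id'], $row['username']);
}

$res->free();
$sth->free();
$mdb2->disconnect();
```

Every MDB2 call that can fail returns a `PEAR_Error` object instead of throwing, so the `PEAR::isError()` check after `factory()`, `prepare()` and `execute()` is not optional: skipping it means the next method call lands on an error object rather than a connection or result set.
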
Posted Thu, 07 Jun 2007 13:56:00 -0500, http://www.phpdeveloper.org/news/7966
In response to several other posts lately about the PEAR::DB package in PEAR (and things that could be done to improve it), David Coallier got a bit fed up and shared his opinion - "PEAR::DB is deprecated, got it?"

All new features are made into MDB2 and not DB; the only thing that is being done on DB is security fixes. So MDB2 is, first of all, faster, smaller (because of its driver and modularity), easier, and has more features (LOB handling, Iterator, etc.) and better end-user documentation, quite solid docs indeed.

Of course, the comments on the post are full of people arguing to keep it around and others who agree with David, especially in light of the MDB2 driver for the Zend Framework that he mentions.

Posted Mon, 04 Jun 2007 15:21:00 -0500, http://www.phpdeveloper.org/news/7633
The PHP.net site has made the official announcement of the PHP projects involved with this year's Google Summer of Code:

The PHP team is once again proud to participate in the Google Summer of Code. Seven students will "flip bits instead of burgers" this summer:

Also, be sure to check out some of the other organizations and students participating on the Summer of Code website.
Posted Mon, 16 Apr 2007 12:41:00 -0500, http://www.phpdeveloper.org/news/7214
Cal Evans of the Zend Developer Zone has posted a new book review of one of Packt Publishing's latest PHP-related offerings - "PHP Programming with PEAR".

For those who have been living under a virtual rock for a while now, PEAR is the "PHP Extension and Application Repository". In a nutshell, it is a collection of classes, it's a framework, and it's a distribution system. Most importantly though, it's an excellent place to find the classes you need so you don't have to re-invent the wheel. (Ok, beginner's time is over, I promise).

He mentions what the book covers (which packages) and highlights some of his favorite bits, including the chapter on web services.

Posted Fri, 02 Feb 2007 19:04:00 -0600, http://www.phpdeveloper.org/news/7064
David Coallier has written up a quick post on his blog today with a helpful hint on getting the Zend Framework up and running without the use of PDO for the database connection.

For those who wanted to use the Zend Framework on a server but didn't have the access to install PDO or such, you will now be able to do so. I have a fix so that MDB2 (PHP5 only) can now be used instead of PDO.

He gives an example of its usage (creating the adapter through the factory) and shows how to install the MDB2 adapter so that the Zend Framework recognizes and uses it.

Posted Tue, 09 Jan 2007 15:04:00 -0600, http://www.phpdeveloper.org/news/7050
In this new blog post, Stoyan Stefanov shares a method he's found to reuse an existing database connection with the MDB2 library.

This is a follow-up to a question posted by Sam in my DB-2-MDB2 post. The question was whether you can reuse an existing database connection you've already established and not have MDB2 create a second connection.

Posted Mon, 08 Jan 2007 12:33:00 -0600, http://www.phpdeveloper.org/news/7045
Users of the PEAR::DB module now have another easy option for migrating their code to a different database package - MDB2. According to this post from Jacques Marneweck, there's a wrapper Lukas Smith created to help ease the transition.

The wrapper functionality has been included in the MDB2 package for a while now, and is designed to make switching from one package to the other as seamless as possible.